Equifax Data Breach Costs Make a Case for Proactive, Quantitative Cyber Risk Analysis

May 15, 2019  Jeff B. Copeland

At RiskLens, we closely track the environment for incident response costs, fines, judgments, credit-monitoring costs and the other fallout of data breaches. The ongoing financial disclosures by Equifax, victim of the massive breach that started in May 2017, are the biggest window we’ve seen into the magnitude of probable impact that any organization could suffer from this kind of cyber attack.

The company just issued its quarterly financials for Q1 2019, and the numbers below are a sobering cautionary tale for CISOs about the necessity of assessing your organization's probable loss exposure with the recognized standard for cyber risk quantification, the FAIR model. If any C-suite or board were shown the probability of these kinds of losses in financial terms in a quantitative risk analysis, it would be instant justification for the appropriate level of investment in security, no debate.

$1.35 Billion Total Costs Since the 2017 Breach

Legal costs, forensics, remediation and technology upgrades added up to this amount in the past two years, and the spending is hardly over. For some points of comparison, Equifax’s revenue in 2018 totaled $3.4 billion, its net income was $300 million and its spending on security and technology upgrades in 2018 came to $307 million.

$786 Million in Q1 Related to the 2017 Breach, Including…

$690 Million Set Aside in Q1 for Legal Matters 

Equifax booked this accrual to cover “adverse judgments, settlements, penalties or other resolution of the proceedings and investigations”, and its Q1 report stated that even this amount might not be sufficient when all the court and governmental action concludes. Reportedly, some 2,500 lawsuits have been filed against the company by individuals and government agencies. The company recently reached confidential settlement terms in the consumer federal class action cases and is waiting on court approval. Besides the settlement payments, Equifax paid $12.5 million to attorneys and investigators in the first quarter for ongoing work on the 2017 breach.

$82.8 Million Investment in Q1 for Technology and Data Security 

This covers costs to “transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” the company’s offering to consumers to quickly shut off access to credit reports to prevent identity thieves from opening fake credit accounts.

$1.5 Million in Free Credit Monitoring Services in Q1

Equifax continues to pay for credit monitoring for consumers as a result of the breach, under its TrustedID program.

$3.2 Billion Loss in Market Capitalization Since 2017 

Equifax’s stock value peaked just before the announcement of the breach in July 2017, at $17.6 billion, and recently closed at $14.4 billion. While there’s no one-to-one relation between the stock movement and breach fallout, clearly there’s an effect: in addition to the hit to net income in 2018, the company suspended a stock buyback and froze dividend payments.
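The post argues that a FAIR analysis puts loss exposure in financial terms a board can act on. The following is an added example, not RiskLens' or Equifax's code, showing the shape of such a calculation: a Monte Carlo simulation over FAIR's two top-level factors, Loss Event Frequency and Loss Magnitude, with magnitude split across loss forms that echo the cost categories above (fines and judgments, response costs such as forensics and credit monitoring, technology replacement, reputation effects). Every input range is a constructed placeholder, not a calibrated estimate taken from the post or from Equifax's filings; the output is a loss-exceedance summary of the kind a quantitative risk report would present.

```python
import math
import random

# Constructed FAIR-style inputs (placeholders, not figures from the post or from
# Equifax's filings). LEF is the annualized Loss Event Frequency as a
# (min, most likely, max) triangle; each loss form is a per-event Loss
# Magnitude given as a 90% confidence interval (low, high) in dollars.
LEF_RANGE = (0.05, 0.2, 0.5)  # 1-in-20 to 1-in-2 years, most likely 1-in-5
LOSS_FORMS = {
    # fines, settlements and judgments (the "legal matters" accrual category)
    "fines_and_judgments": (5_000_000, 500_000_000),
    # response: forensics, outside counsel, credit monitoring for consumers
    "response": (1_000_000, 50_000_000),
    # replacement: infrastructure and application security rebuild
    "replacement": (2_000_000, 100_000_000),
    # reputation: lost business, financing costs, share-price effects
    "reputation": (500_000, 200_000_000),
}

Z90 = 1.645  # z-score bounding a two-sided 90% interval


def lognormal_from_ci(low, high, rng):
    """Sample a lognormal whose 5th/95th percentiles are `low`/`high`."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return rng.lognormvariate(mu, sigma)


def poisson(lam, rng):
    """Knuth's inverse-transform Poisson sampler; fine for small lambda."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(lef_range, loss_forms, years=10_000, seed=2019):
    """Return one simulated total loss (dollars) for each of `years` years."""
    rng = random.Random(seed)
    low, mode, high = lef_range
    annual = []
    for _ in range(years):
        # Uncertainty about the frequency itself, then the event count it drives.
        lef = rng.triangular(low, high, mode)
        total = 0.0
        for _ in range(poisson(lef, rng)):
            total += sum(lognormal_from_ci(lo, hi, rng) for lo, hi in loss_forms.values())
        annual.append(total)
    return annual


def percentile(sorted_values, q):
    """Nearest-rank percentile on an ascending list, q in (0, 1]."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """Loss-exceedance style summary: expected loss plus tail percentiles."""
    s = sorted(losses)
    return {
        "mean": sum(s) / len(s),
        "p50": percentile(s, 0.50),
        "p90": percentile(s, 0.90),
        "p95": percentile(s, 0.95),
        "max": s[-1],
        "p_any_loss": exceedance_probability(s, 0),
    }


def run_example():
    """Simulate the constructed scenario and return its summary."""
    return summarize(simulate_annual_losses(LEF_RANGE, LOSS_FORMS))


if __name__ == "__main__":
    for key, value in run_example().items():
        if key == "p_any_loss":
            print(f"{key:>12}: {value:.3f}")
        else:
            print(f"{key:>12}: ${value:,.0f}")
```

The median year shows no loss at all, because a loss event is expected less than once every few years; the 90th and 95th percentiles are what make the case to a board, since they show the probable size of the bad year rather than an average that hides it. Replacing the placeholder ranges with calibrated estimates for your own organization is the work a FAIR analysis actually consists of.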


SEC Tells Public Companies to Up Their Game in Assessing and Disclosing Cyber Risks

WSJ: One Year Out, “Uneven” Response to SEC Cybersecurity Guidance